Note: This article reflects a draft spec. The final product may be slightly different from what is herein described.

What's the idea here ?

The idea is that the 'computer insecurity industry' walks one path, while we walk another. It is plainly impossible to either securely operate computers or operate secure computers - or for that matter even live - unless absolute guarantees can be presented. While teeming with all sorts of reptilian and insect pullulation, the swamp of relativism is not hospitable to human life.

It is sad reality that such guarantees are all but absent in today's computing world. We make it our business and purpose in life to create products that may be used to enact absolute guarantees, to verify them and to enforce them - and in the process we both create the measures by which you can evaluate the freedom available in the world in which you live as well as provide the bricks upon which a free world may be built, one bit at a time.

Today's installment of these lofty ideas is a simple USB stick to make your private keys absolutely secure.

What is this Cardano thing then ?

The Cardano[i] is a custom made solid-state USB mass-storage device, similar in size and shape to a standard external hard drive. The unit comes equipped with a USB connector, a red toggle switch (enclosed under a safety flip-cover) and a bicolor indicator light.

What does it do ?

The Cardano allows you to sign and decrypt gpg messages while ensuring that your private key remains inaccessible to an attacker, even should that attacker have control[ii] of the machine Cardano is attached to.

Consider the case of visiting a random net cafe or public library. Without Cardano you are in a relatively tough spot : even should you carry your gpg keyring and gpg software on a USB stick, and even should you be able to install gpg software on the respective computer, typing in the keyring passphrase would in all likelihood compromise that key. For instance if there's a keylogger present on the computer, the keylogger's owner now possessed of your gpg keyring and your gpg passphrase is just as much in control of your private key as you are.

With Cardano you simply pop the unit in, install no further software and proceed on your merry way, as if you had an airgapped[iii], linux based system available right there. One example use case would be identifying with gribble : you receive the challenge encrypted message from gribble, you put it through Cardano and you have the decrypted line necessary to identify - all while your private key remains 100% safe.

Another use case would be the implementation of a better 2FA system. Yet another use case would be secure backups of a remote system : simply encrypt your backup to the correct key on the remote machine, download the encrypted file (even over a cleartext connection). Whenever the backups are needed you can retrieve the plaintext content by copying your encrypted back-up to a local Cardano unit.

How does it work ?

A) Key generation.

This step is mandatory upon first use. It is not necessary to supply power via the USB connector for this process - the internal battery will power Cardano during key generation.

1) Flip open the safety cover and throw the red toggle switch into the position marked 'ZAP.' The indicator light will flash red.

2) Return the toggle to the 'ARMED' position. The indicator light will flash green, and after approximately thirty seconds key generation will have completed.[iv]

The indicator will then turn a solid green. The device can now be plugged into a PC, which will recognize it as a thumb drive containing a 'FAT16' partition. Look for the file named 'PUB'. This is a gpg-compatible 'ASCII armored' public key. The key's identifier string is fixed, and contains the serial number printed on the bottom of the chassis.

B) GPG signature.

Attach your Cardano to a PC and copy over the payload to be signed in the appropriate directory.

On a sane operating system your device will at this point signal that it has been ejected (without any need for you to physically touch it), process the file, write the intended result to the FAT partition and signal that it has been re-inserted, at which point you will find the signed file on the USB drive, which you may copy normally. At no point does Cardano store what you send to it, but simply processes the incoming data stream and stores it as the intended result. The filename will be changed to append the operation count after the filename, before the extension.

If running MS Windows or Mac OS you will need to software-'eject' the device yourself to ensure that the OS actually flushes your copied file to the stick.[v]

C) Decryption

Attach your Cardano to a PC and place the payload to be decrypted in the appropriate directory. The drive will go through the same process as explained in B above.

D) Self-destruct

This is in fact the first half of the Key Generation operation. (Section A.) Your Cardano is not actually destroyed or otherwise rendered inoperable by this action, but the current contents of your private key storage will be irretrievably lost.

1) Flip open the safety cover and throw the red toggle switch into the position marked 'ZAP.' The indicator light will flash red. While the toggle remains in this position, the key storage EEPROM will be filled in its entirety with zeroes, then with ones, and then once again with a sequence of random bits distilled from the built-in analog entropy source. This process will repeat until the toggle is returned to the 'ARMED' position or until the internal battery is exhausted.[vi]

If you are faced with the imminent loss of your Cardano to a malefactor, leave the red toggle in this position. There is absolutely no way known or conceivable through which a private key could be retrieved after this process. Do not casually throw the zap switch without having fully considered the implications for your security arrangements. Once zapped that key is gone. Gone.

2) Return the toggle to the 'ARMED' position. The indicator light will flash green, and after approximately half a minute key generation is complete. The old key has vanished, and a new one will have taken its place.

At the end of this procedure, the working slate will have been re-formatted, and will appear empty - as Cardano no longer possesses the old block-cipher key.[vii]

How is it made ?

Other than the metal USB connector and the chassis with its lights and lever which are visible to visual inspection, the Cardano contains :

A) The key storage EEPROM. This is socketed for ease of removal and destruction should your application demand this.[viii] It can be replaced with any industry-standard SPI EEPROM of 8KB capacity or greater. Do not expect to be able to retrieve keys by removing this EEPROM : all keys are enciphered with a random block-cipher[ix] key which is unique to your particular unit's firmware.

B) Cardano's firmware. This is a socketed antifuse (OTP) ROM which is unique to your unit and is engraved with the latter's serial number. If desired, it can be read on a common instrument sold for this purpose and its contents checksummed or otherwise perused. The checksum of your firmware ROM is printed on the bottom of the chassis, under the unit's serial number. For your safety, this ROM is non-reprogrammable. Please contact us for upgrades.

C) Working slate ROM. This Flash ROM is removable, and may be inspected or replaced[x] by customers either before deploying the unit or at any point during.

D) Internal battery. This is a disposable lithium cell. Please contact us or your favourite local electronics vendor for replacements. A working battery is required for the Key Generation / Self-Destruct operation, and in the interest of your own safety you are advised to not let it get to its absolute last legs.

E) Entropy generator. This is an avalanche noise array, with some sanity checking in place.[xi]

These components are assembled together in such a way that only the firmware has access to the private key storage, which it uses in specified, non-reprogrammable ways which do not include any way to dump the key.

What if the thing breaks ?

If the file 'SAD' appears on your working slate, please consult its contents for maintenance instructions. Something has gone seriously wrong, including but not limited to: failure of the key-storage EEPROM; the working slate; the entropy generator; or the internal battery.

What if someone steals my Cardano ?

You should probably let any third parties you are in communication with know that you will be using a new public key. Ideally you accomplish this by signing a declaration / the new public key with your known master, such as for instance by use of your secret, buried-in-the-garden master Cardano. Because yes, you can have more than one of these things.

I forgot my Cardano at the library, and now I don't know if someone used it while I was away.

Yes, you do know. The Cardano counts each operation. If the current count is above what it was when you left the unit behind, it has been used that many times. There is no easy way for an attacker to modify that value, and any casual attempt would likely leave the unit in quite a sad state.

That aside, note that this is not the intended mode of operation for the unit, and if at all possible you would be well advised to rescind as a matter of policy any public keys for any units which you did not maintain under your uninterrupted physical control.

Why is Cardano better than just buying an old laptop off eBay ?

For one, a Cardano is smaller and lighter. For another, a Cardano is probably cheaper.[xii] More importantly, the Cardano has much better entropy generation than is available on any consumer x86 machine made before 2005 or so.[xiii]

I am a developer, can I help ?

Yes. The most useful thing you can do is change any system that you control which relies on "2FA" to be able to use Cardano-based 2FA. This will require you to obtain and store a user's public key, and then issue challenges encrypted to that public key as part of the verification process. This is very much in your best interest, as the Cardano provides much better security than what can be obtained from generic 2FA USB sticks or smart phones.
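As an added example (not Cardano firmware and not code from the post's authors), here is the server side of the challenge-response 2FA just described, together with a stand-in for the Cardano's decrypt step that names its output with the operation count (section B) and exposes the count used in the 'forgot it at the library' answer. Assumptions: a tiny textbook RSA replaces gpg so the block runs offline, the '<name><count><ext>' naming and all class and function names are mine, and the post's fixed key identifier and serial are not modelled.

```python
"""Challenge-response 2FA against an enrolled public key, plus a simulation of
the Cardano's file-based decrypt. Added example; not Cardano firmware. The toy
RSA below (no padding, constructed parameters) only stands in for gpg encryption
to the user's stored public key so that the protocol logic can run offline."""
import hmac
import secrets

# Constructed toy RSA parameters: two Mersenne primes and e = 65537.
# Textbook RSA is NOT secure for real use; a deployment would call gpg instead.
TOY_P = (1 << 61) - 1
TOY_Q = (1 << 89) - 1
TOY_E = 65537
NONCE_BYTES = 16          # 128-bit challenge; fits below n (about 2^150)


def toy_keypair():
    n = TOY_P * TOY_Q
    d = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))
    return (n, TOY_E), (n, d)


def toy_encrypt(pub, plaintext):
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    assert m < n, "toy RSA can only carry a short payload"
    return pow(m, e, n).to_bytes(20, "big")   # n < 2^160, so 20 bytes suffice


class CardanoSim:
    """Models the slate behaviour the post describes: a file dropped on the FAT
    partition is processed, the result is named with the operation count
    appended before the extension, and nothing of the input is retained.
    (The separator-less '<name><count><ext>' naming is an assumption.)"""

    def __init__(self):
        self._pub, self._priv = toy_keypair()   # generated inside the unit
        self.operation_count = 0

    def public_key(self):
        return self._pub                        # what the 'PUB' file carries

    def decrypt_file(self, filename, ciphertext):
        n, d = self._priv
        c = int.from_bytes(ciphertext, "big")
        plaintext = pow(c, d, n).to_bytes(NONCE_BYTES, "big")
        self.operation_count += 1
        stem, dot, ext = filename.rpartition(".")
        if not dot:                             # no extension: count goes last
            stem, ext = filename, ""
        out_name = f"{stem}{self.operation_count}{dot}{ext}"
        return out_name, plaintext              # the input itself is not stored

    def used_while_away(self, count_when_left):
        """Operations performed since the count you noted before leaving it."""
        return self.operation_count - count_when_left


class ChallengeServer:
    """Server side: store only public keys, issue random single-use challenges
    with a deadline, and compare responses in constant time."""

    def __init__(self, ttl_seconds=120):
        self.pubkeys = {}      # user -> enrolled public key
        self.pending = {}      # user -> (nonce, deadline)
        self.ttl = ttl_seconds

    def enroll(self, user, pubkey):
        self.pubkeys[user] = pubkey

    def issue_challenge(self, user, now):
        nonce = secrets.token_bytes(NONCE_BYTES)
        self.pending[user] = (nonce, now + self.ttl)   # supersedes any older one
        return "challenge.gpg", toy_encrypt(self.pubkeys[user], nonce)

    def verify(self, user, response, now):
        entry = self.pending.pop(user, None)   # consumed on any attempt: no replay
        if entry is None:
            return False
        nonce, deadline = entry
        if now > deadline:
            return False
        return hmac.compare_digest(nonce, response)
```

The user copies the returned challenge file onto the unit, copies the decrypted result back, and submits it; only the unit ever holds the private key.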

———

[i] So named in honor of Girolamo Cardano (1501-1576), Italian Renaissance polymath, as well as one of the girl's cats, which hereby promises to not chew electronic parts ever again. [↩]

[ii] This is not a misrepresentation of fact, as you will see in the technical description. [↩]

[iv] For increasing the safety of your key it is advisable to place the unit into a Faraday cage - such as for instance a correctly installed, not powered on microwave oven - during key generation. [↩]

[v] You still won't need to actually unplug the stick. In many cases it may also be possible to issue an equivalent command to linux' mount -o sync /dev/sdb1 /mnt/usb or otherwise disable the overbearing OS cache for USB drives - please refer to your OS documentation for further instructions. [↩]

[vi] On a fresh Cardano the battery lifetime will far exceed any reasonable application of this procedure. If your battery is getting iffy you are well advised to either replace it or get in touch with us to have your unit serviced. [↩]

[viii] The indicated manner of destroying EEPROMs is through oxidation, for instance through the use of a high temperature controlled flame such as from a magnesium strip. Alternative chemical destruction such as for instance through Brønsted acids may also be effectual. Do not rely on electric or electromagnetic means for this application. [↩]

[x] Should you not wish to obtain a new unit it can be replaced when it has exhausted its maximum write-cycle count. Stressing your Cardano unit in this manner is perhaps unadvisable, but you are entitled to your own decisions. [↩]

[xi] Note that if you are a security researcher or cryptography specialist and would like to verify the quality of our on-board entropy generation we will be happy to send you our entropy generator at no cost to you, in consideration of a promise to publish your review within some reasonable time frame. Please contact us with a URL to your blog for this purpose. [↩]

[xii] On a cash basis. It would take you at the minimum a few hours of expert time to set-up your second hand laptop in such a way as to offer the same guarantees Cardano offers out of the box, putting the full cost of the laptop alternative squarely in the four figures range. [↩]

[xiii] After that date the odds that the CPU has been diddled to provide crackable "entropy" are significant. [↩]

Would be interesting to compare this with Trezor, not sure if all above scenarios were considered in Trezor design. On the other side, Trezor has a display where you can verify it's really desired transaction before confirming it.

I'll just leave this here :
- Generation of a revocation certificate,
- Ability to read the private key for 30 minutes after generation for backup purposes if desirable
- Ability to protect the key with a passphrase set with a text file that's wiped each time it's read and requires re-inputting each time the device is re-connected (the key generation would encrypt the key with the passphrase if such a file is found at key-generation time)
- Ability to generate ECC keys instead of RSA keys

Your device doesn't update keys. As a result, you may publish your revocation certificate to no effect whatsoever : items signed with your key will still be produced whether you signed the cert or not. The timing implicit in gpg signatures is documentedly unreliable - to the degree the maintainer insists it shouldn't be used. As a result your classic revocation cert does exactly 0. The correct way to do this is as indicated above, via a master key that both enacts and revokes the Cardano.

- Ability to read the private key for 30 minutes after generation for backup purposes if desirable

Oct 10 01:47:32 {asciilifeform} Vexual: if you were to introduce key importation, the zapper would have to come with cyanide.
Oct 10 01:47:51 {asciilifeform} whereas the answer to the inquisitor's 'where are the other copies' is correctly 'nowhere.'

- Ability to protect the key with a passphrase set with a text file that’s wiped each time it’s read and requires re-inputting each time the device is re-connected (the key generation would encrypt the key with the passphrase if such a file is found at key-generation time)

No. Absolute means absolute. This device guarantees electronic security if you guarantee physical security. If you do not guarantee physical security you need a different device, more expensive and otherwise designed. We will release it if there's a market for it, however we won't dork about with laughable, ill baked, pseudo "solutions" of the sort suggested. This is srs bzns.

- Ability to generate ECC keys instead of RSA keys

The only alternative worth the mention is the Cramer-Shoup, as per

Sep 28 12:10:42 {mircea_popescu} my current curiosity in the field is why isn't cramer–shoup more widely used.
Sep 28 12:11:16 {mircea_popescu} at any rate it should have been implemented in preference of elgamal

There may be a later version with C-S, but there won't likely be a version using multiple schemes and there probably won't be an ECC version. I don't trust ECC.

There may be a later version with C-S, but there won’t likely be a version using multiple schemes and there probably won’t be an ECC version. I don’t trust ECC.

From what I gather, it's not ECC itself which is faulty, but some implementations, especially some of the NIST-approved ones (and I believe this is mainly what Schneier was concerned about). Like RSA parameters, some elliptic curves are vulnerable, and it's a matter of choosing the right ones, and (unfortunately) not what some arbitrary institute or agency is promoting as "standard".

Again, from what I gather, the main advantage of ECC is not ECC itself, but the fact that it can be used in conjunction with existing crypto schemes (e.g. DSA -> ECDSA). I'm guessing that it has the potential to become of practical use in some years from now, after sufficient research and peer review on the matter.

Anyways, Cramer-Shoup looks quite interesting. Its only problem might be related to encryption of large amounts of data, as I understand the generated ciphertext is twice as large as in Elgamal.

While what you say re ECC is in principle true, sometimes people make heuristic calls. I have. The good news is that my calls are only mandatory for people working for me. The bad news is that my calls are historically quite on point.

I don't think data storage is quite SUCH a problem these days. As I say in the linked chatlog, I can see why they wouldn't have done it in the 90s, but it's 2013.

> The current plan is to trigger every sign or decrypt operation via a physical act (removal and reinsertion of the cable), or, alternatively, a button.

This doesn't help:

1. You want to sign something and thus connect the device to PC.
2. Attacker replaces the document to be signed with his own. (This is analogous to MitM attack.)
3. You press the button, or do whatever is necessary.
4. Attacker now has document he wants to be signed signed. Say, he might redirect money to his account.

@killerstorm Basically your position here is, you still haven't digested your intellectual inferiority, not to mention the social inferiority to which that condemns you, as discussed for instance here, or on the retardforum. Consequently you imagine calling a cherry "trash" because it's not "big enough" (like for instance an apple is big enough) is somehow going to stick, and make it all better. This doesn't work in practice, principally because nobody cares what you think, or what you call things. Cherries still sell for about two to three times per pound what apples sell for, in spite of them being "really shitty apples". It also doesn't work in practice because even should you be able to somehow prove everyone else is just as fucking stupid as you are, that still wouldn't make you any smarter.

Please don't go reading past this point, as the rest of this comment consists of factual discussion, which is perfectly useless to you as it doesn't and couldn't meaningfully fit into the preconceived schematics you're emotionally invested into. Instead re-direct your effort to re-reading the previous paragraph, ideally over one hundred times, and perhaps even copy it down, by hand. Who knows, maybe through rote it makes it past the very tough carapace which allegedly contains your brain.

I. There's no means for the host machine to distinguish the Cardano from any other stick. If one suspects the machine he's connecting to might be attempting to hijack writes, that one can trivially insert a normal stick and see what happens.

II. What the Cardano does is that it guarantees the keys will not be compromised no matter what happens. This is it, nothing else, just like cups excel at holding liquids even if they make poor hammers, just like hangers excel at holding up clothes even if they make poor curettage equipment.

It is an unfortunate habit of the clueless youth to try and solve "all the problems" simultaneously, often in the same item. This "super-power" inspired approach to life leads to stuff like power-rangering, and it is always and everywhere a definitive sign of gross incompetence, the sort that requires revoking all privileges for the afflicted and packing them back to school, preferably freshman highschool level.

If you are worried about an attack like this one, what you need is a full-scale secure terminal. Preferably with both keyboard and screen. This might be a future product - a somewhat more expensive one.

Our current objective, on the other hand, is merely to secure private keys.

"Ability to read the private key for 30 minutes after generation for backup purposes if desirable"

Personally, I agree, and I'd like to be able to make a paper backup copy of the key, to store somewhere safe.

But, I also understand the motive of being able to fully demonstrate that there are no other copies of the private key.

Couldn't the device just put a file next to the "PUB" file, called "EXPORT", whose contents will be an integer, which is the number of times the private key has been read out? If it's 0, then that proves that the key only exists on the Cardano. If the Cardano is zapped, the key is gone forever. If it's 1 or greater, then the key has been copied, and it's only as secure as your safe-deposit box.

To 'Backup' is a solution to a certain anticipated problem: 'key was destroyed or lost.' In the case of Cardano, you are being offered a different - more correct solution: revoke misplaced key by signing a message to this effect with your 'master' - or simply the next higher level of importance - key, and generate a new one.

Cardano will not tell you how many times a key has been read back because this is physically impossible. (Not reading back a key, that is; this is eminently possible, with inexpensive tools, if you insist! rather, determining how many heads have absorbed a piece of information, by whatever means, is an impossibility. Even if you can wire all the heads in the world to the mains socket in an attempt to get at the truth.)

All a machine could hope to tell you is: the number of times the key has been read out using the provided mechanism. Note that the Cardano - as currently specified -already does this! Simply scratch a 'zero' onto the cover. That'd be your readout.

My objective was not to be insulting, but to emphasize a useful fact: some of the ways in which cryptography is presently used are: simply dumb. Especially in the sense of systems which utter false promises to the user ('number of times key has been read.') Any system which is secure 'by protocol' (example: Bitcoin multi-signature payments) is also an example of this kind of false promise.

We are in the business not only of producing useful gadgets, but in that of making strictly those promises which can be kept, under the laws of arithmetic and physics as we presently know them.

It's not impossible, nor a false promise. It requires one extra byte of EEPROM. If the user makes no use of the 30 minute backup period, then the byte is zero. If the user does plug in the device in the first 30 minutes, then it will be non-zero. What is physically impossible about that?

In saturation arithmetic (assuming you haven't seen it before), when the one byte reaches 255, if you continue to increment it, it stays at 255. A counter limited to 255 is sufficient for this.

Without an RTC, you can just use a regular 30 minute countdown timer. If power is lost, the countdown terminates early, and the private key can no longer be read.

If you lend the Cardano to an enemy, or to the devil, the security is completely compromised anyway.

The user obviously can always get the key by reading the firmware out, extracting the decryption key from the firmware, and then decrypting the EEPROM. The counter would not count this. (If the Cardano as originally specified is meant to be able to defend against this, then please specify. If not, then it doesn't need to be counted as a read of the private key, because this attack is out of scope.) The counter only counts the number of reads during the initial 30 minute backup period.

So saturation arithmetic and all the rest of the technical solutions basically serve to discern between the following two situations : A. user makes a copy of the key which he then copies in three places vs B. user makes four copies of the keys.

Perhaps this may be useful in some circumstance. Or perhaps we should also add some DRM preventing copies made from being copied in turn, so the counter may be accurate.

The problem with design is that there are fundamentally two broad groups of designers : one that designs, the other that used to play with lego blocks and other similar toys in their childhood and never quite outgrew the habit, or indeed understood the difference between toys and tools, playing and working and so on.

No, the purpose of the counter is to distinguish between:
*The user has made zero copies of the key.
*The user has made at least one copy of the key.

In the former case, the device operates as originally specified, and provides all the guarantees originally specified. In the latter case, it allows key backup. Therefore, since it can operate in either mode, it is strictly adding a feature, and does not harm any existing functionality or guarantees.

If you want to criticize my credentials and use lightly veiled ad hominem attacks, I will inform you that I have written production cryptographic code, full disk encryption software, and verifications for existing encryption programs to confirm correctness of protocol. My day job is writing software for safety critical systems.

I wasn't discussing your credentials, I was discussing the process you found yourself involved in. The latter is not reducible to the former.

An ad hominem attack works like this : someone makes a statement, and the proposition is made that on the grounds of who the someone is, the statement should be regarded a certain way (usually, false).

This is not what happened here. Instead, the statement was shown to be a certain number of different ways (all of which unflattering). This had then tacked on some observations intended to inform and instruct the author (ie, you) so that they may a) realise their intellectual inferiority, as displayed by their own actions and b) take steps to remedy said inferiority, to the degree such may be possible.

That the observations were general rather than particular in nature is mostly a function of the fact that the problems you struggle with are fundamental, and will require fundamental effort. A good example of this fundamental nature is the couple of confusions your most recent contribution includes, which had to be rectified in the foregoing paragraphs of this comment.

Now, I get it that you'd like to be friends and all, and I get that you'd like to help. The problem is that you predicate all this on it being accepted that your understanding of the topic at hand such as it stands is nevertheless equally valid and equally respectable to anyone else's. This is a bridge too far, unfortunately, and it poisons the entire exercise.

I will try to answer the original question - 'why no easy private key export.' Certain usage scenarios, while perfectly possible, are foolish. And there is no reason to encourage them. Tradition, luser habit, and the idiocy of other vendors are not worthy reasons.

If you were to make a copy of your private key, the 'zap' switch is now an empty threat. And your torturer has every incentive to house you in an oubliette until you reveal the location of the backup.

A user of a proper Cardano, housed in the same oubliette, could only be made to reveal the location of his master key (assuming one existed.) The use of which, to declare a key swap, is inevitably a /detectable/ event from the standpoint of confederates not yet in the oubliette. On top of this, coughing up a master key will not compromise the secrecy of past correspondence, the way revealing a backed-up Cardano key would.

Yes, you can extract your private key, if you insist - with a few dollars' worth of commonly-available instruments. You could also sharpen your Cardano and remove your appendix with it! We will make no attempt to stop you. But nothing written here should be seen as encouragement of these or similar follies.

So, the scenario is that the user has been captured by an enemy with no moral limits. His Cardano is in the ZAP position. The enemy wants to be able to digitally sign and decrypt the user's data, and will torture the user to do this.

If the user has a master key, he could give it up, allowing the enemy to sign a new key and make new digital signatures. This would look suspicious, and it would not allow decryption of old data.

If the user does not have a master key, and clearly does not have the Cardano private key, then there is nothing he can give up, and the enemy would not torture him for information. But, how does the enemy know that the Cardano private key he seeks was really permanently deleted by zapping? To avoid torture, the prisoner needs a way to prove these things:

1. The key was originally created by the Cardano, not a PC, and not a different Cardano. Therefore, it was only stored on that Cardano, and was destroyed in the ZAP process.
2. The key was never extracted by reading the firmware and EEPROM to decrypt it, and then saved somewhere
3. If this model of Cardano had the initial 30 minute key export, it was not used.

To solve number 3, the feature can just be removed, as you said. Any ideas for 1 or 2?

(1) is addressed, however imperfectly, by the deliberate lack of an easy key import/export mechanism. The enemy can usually presume that a Cardano private key was generated therein, and exists nowhere else. Exactly how much this increases one's chances of surviving the torture chamber is debatable, but it stands to reason that it should increase them.

A user concerned about (2) can pot his unit in epoxy (or the like) and then exhibit it (performing key generation) publicly, to provide credible denial.

(3) simply isn't happening, and therefore not a concern in the current design. When Cardano is off, it is galvanically off: unpowered. That means no clocks.
